@ai-sdk/mcp 1.0.49 → 1.0.50
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/dist/index.js +26 -8
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +26 -8
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
- package/src/tool/oauth.ts +30 -4
package/package.json
CHANGED
package/src/tool/oauth.ts
CHANGED
|
@@ -443,23 +443,30 @@ export async function discoverOAuthProtectedResourceMetadata(
|
|
|
443
443
|
*/
|
|
444
444
|
export function buildDiscoveryUrls(
|
|
445
445
|
authorizationServerUrl: string | URL,
|
|
446
|
-
): { url: URL; type: 'oauth' | 'oidc' }[] {
|
|
446
|
+
): { url: URL; type: 'oauth' | 'oidc'; expectedIssuer: string }[] {
|
|
447
447
|
const url =
|
|
448
448
|
typeof authorizationServerUrl === 'string'
|
|
449
449
|
? new URL(authorizationServerUrl)
|
|
450
450
|
: authorizationServerUrl;
|
|
451
451
|
const hasPath = url.pathname !== '/';
|
|
452
|
-
const
|
|
452
|
+
const rootIssuer = url.origin;
|
|
453
|
+
const urlsToTry: {
|
|
454
|
+
url: URL;
|
|
455
|
+
type: 'oauth' | 'oidc';
|
|
456
|
+
expectedIssuer: string;
|
|
457
|
+
}[] = [];
|
|
453
458
|
|
|
454
459
|
if (!hasPath) {
|
|
455
460
|
urlsToTry.push({
|
|
456
461
|
url: new URL('/.well-known/oauth-authorization-server', url.origin),
|
|
457
462
|
type: 'oauth',
|
|
463
|
+
expectedIssuer: rootIssuer,
|
|
458
464
|
});
|
|
459
465
|
|
|
460
466
|
urlsToTry.push({
|
|
461
467
|
url: new URL('/.well-known/openid-configuration', url.origin),
|
|
462
468
|
type: 'oidc',
|
|
469
|
+
expectedIssuer: rootIssuer,
|
|
463
470
|
});
|
|
464
471
|
|
|
465
472
|
return urlsToTry;
|
|
@@ -469,6 +476,7 @@ export function buildDiscoveryUrls(
|
|
|
469
476
|
if (pathname.endsWith('/')) {
|
|
470
477
|
pathname = pathname.slice(0, -1);
|
|
471
478
|
}
|
|
479
|
+
const pathIssuer = `${url.origin}${pathname}`;
|
|
472
480
|
|
|
473
481
|
urlsToTry.push({
|
|
474
482
|
url: new URL(
|
|
@@ -476,26 +484,41 @@ export function buildDiscoveryUrls(
|
|
|
476
484
|
url.origin,
|
|
477
485
|
),
|
|
478
486
|
type: 'oauth',
|
|
487
|
+
expectedIssuer: pathIssuer,
|
|
479
488
|
});
|
|
480
489
|
|
|
481
490
|
urlsToTry.push({
|
|
482
491
|
url: new URL('/.well-known/oauth-authorization-server', url.origin),
|
|
483
492
|
type: 'oauth',
|
|
493
|
+
expectedIssuer: rootIssuer,
|
|
484
494
|
});
|
|
485
495
|
|
|
486
496
|
urlsToTry.push({
|
|
487
497
|
url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
|
|
488
498
|
type: 'oidc',
|
|
499
|
+
expectedIssuer: pathIssuer,
|
|
489
500
|
});
|
|
490
501
|
|
|
491
502
|
urlsToTry.push({
|
|
492
503
|
url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
|
|
493
504
|
type: 'oidc',
|
|
505
|
+
expectedIssuer: pathIssuer,
|
|
494
506
|
});
|
|
495
507
|
|
|
496
508
|
return urlsToTry;
|
|
497
509
|
}
|
|
498
510
|
|
|
511
|
+
function assertMetadataIssuerMatches(
|
|
512
|
+
metadata: AuthorizationServerMetadata,
|
|
513
|
+
expectedIssuer: string,
|
|
514
|
+
): void {
|
|
515
|
+
if (metadata.issuer !== expectedIssuer) {
|
|
516
|
+
throw new MCPClientOAuthError({
|
|
517
|
+
message: `OAuth authorization server metadata issuer ${metadata.issuer} does not match expected issuer ${expectedIssuer}`,
|
|
518
|
+
});
|
|
519
|
+
}
|
|
520
|
+
}
|
|
521
|
+
|
|
499
522
|
export async function discoverAuthorizationServerMetadata(
|
|
500
523
|
authorizationServerUrl: string | URL,
|
|
501
524
|
{
|
|
@@ -510,7 +533,7 @@ export async function discoverAuthorizationServerMetadata(
|
|
|
510
533
|
|
|
511
534
|
const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
|
|
512
535
|
|
|
513
|
-
for (const { url: endpointUrl, type } of urlsToTry) {
|
|
536
|
+
for (const { url: endpointUrl, type, expectedIssuer } of urlsToTry) {
|
|
514
537
|
const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
|
|
515
538
|
|
|
516
539
|
if (!response) {
|
|
@@ -532,11 +555,14 @@ export async function discoverAuthorizationServerMetadata(
|
|
|
532
555
|
}
|
|
533
556
|
|
|
534
557
|
if (type === 'oauth') {
|
|
535
|
-
|
|
558
|
+
const metadata = OAuthMetadataSchema.parse(await response.json());
|
|
559
|
+
assertMetadataIssuerMatches(metadata, expectedIssuer);
|
|
560
|
+
return metadata;
|
|
536
561
|
} else {
|
|
537
562
|
const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(
|
|
538
563
|
await response.json(),
|
|
539
564
|
);
|
|
565
|
+
assertMetadataIssuerMatches(metadata, expectedIssuer);
|
|
540
566
|
|
|
541
567
|
// MCP spec requires OIDC providers to support S256 PKCE
|
|
542
568
|
if (!metadata.code_challenge_methods_supported?.includes('S256')) {
|